  1. #1
    New Member
    Points: 1,574, Level: 11
    Level completed: 8%, Points required for next Level: 276
    Overall activity: 0%
    Achievements:
    New Achievement!1 year registered1000 Experience Points

    Join Date
    Oct 2012
    Location
    Brazil
    Posts
    8
    Points
    1,574
    Level
    11
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    42pfl7007g - Security Issue / JSON API Missing

    I have a 42pfl7007g smart tv which was integrated with my home automation system using the Philips JSON API ( http://jointspace.sourceforge.net/pr...1/doc/API.html ).

    Since the day I bought this TV, it has had a security flaw with this JSON API that allows anyone to "extract" some internal data from Linux, for example if I open the following URL: http://IP-OF-MY-TV:1925/etc/fstab I get the following:

    # /etc/fstab: static file system information.
    #
    # <file system> <mount point> <type> <options> <dump> <pass>
    /dev/root / auto rw,errors=remount-rw 0 0
    none /proc proc noauto 0 0
    none /sys sysfs noauto 0 0
    none /dev/pts devpts noauto,gid=5,mode=620 0 0
    none /dev/shm tmpfs noauto 0 0
    none /var/run tmpfs defaults 0 0
    #none /tmp tmpfs defaults 0 0

    Philips released a new firmware (L12M11L_1.5.12, 2014-04-28) that was stated to solve this issue. After successfully installing this firmware, I can't use the JSON API anymore (my home automation system can't change the TV volume anymore, for example). If I try to open the following URL: http://IP-OF-MY-TV:1925/1/audio/volume I receive a "NOT FOUND" error, but if I try again to open some Linux files, for example: http://IP-OF-MY-TV:1925/etc/passwd it works!!

    root:x:0:0:root:/basic:/bin/sh

    It looks like on this specific model (42pfl7007g) the bug was not solved AND all the JSON html files were deleted or moved.

    Is this the right place to report this?

  2. #2
    Moderator
    Points: 20,566, Level: 43
    Level completed: 80%, Points required for next Level: 184
    Overall activity: 99.7%
    Achievements:
    1000 Experience PointsNew Achievement!10000 Experience PointsVeteran
    Philips - Thomas's Avatar
    Join Date
    Jun 2011
    Posts
    1,921
    Points
    20,566
    Level
    43
    Thanks
    8
    Thanked 48 Times in 43 Posts
    Rep Power
    10
    Hi,

    Thanks for reporting, yes you're right here.
    We will look into this, I'll keep you posted.

    Regards
    Thomas

  3. #3
    New Member
    Any news on this topic? Still no firmware release to solve the security issue AND the missing JSON API.

  4. #4
    Moderator
    Hi,

    This issue is fixed with the latest FW available on our homepage.

    Regards
    Thomas

  5. #5
    New Member
    Hi Thomas,

    Unfortunately it is not working. I've downloaded the latest update (L12M11L_1.5.13) from Philips web site (url = http://download.p4c.philips.com/file...78_fus_brp.zip) and after updating the security failure was still there and the missing JSON htmls too.

    I checked on TV software version and it showed L12M11L_1.5.12 (.12 not .13) - I tried to update again but still .12. Then I downloaded it again but was still showing as .12.

    I think the new firmware was not uploaded on the Philips website, because the Autorun.upg inside the ZIP file was still showing 04/15/14 as the creation date. Checking the sha1sum of the Autorun.upg, it is equal to that of the original .12 version.

    Could you please check this?

    Thank you very much!

    Renato

  6. #6
    New Member
    Thomas,

    The firmware was uploaded today and the security issue seems fixed. But on this new firmware the JSON API is still missing.

    Example: with the original firmware, I could open in my web browser the URL:
    http://ip-address:1925/1/audio/volume

    and I would get as a response something like this:
    {
    "muted": false,
    "current": 18,
    "min": 0,
    "max": 60
    }

    With the new firmware, I only get a "Not Found" message.

    Can you get this message into the hands of the people responsible for the firmware to check this? While this isn't fixed, is there somewhere I can download old firmware? I'm not sure, but I think I was using L12M11L_1.5.02 when the JSON API was fully working.

    Thanks

  7. #7
    New Member
    Anyone??? I need to downgrade my TV firmware, because current (latest) firmware is buggy. How do I do that?

  8. #8
    New Member
    No one from Philips can help me with this??? The JSON API was working on my TV before the firmware upgrade and now it is not working anymore!! Just get me an old firmware to get back as it was and I'm ok. PLEASE!!!

  9. #9
    Moderator
    Good Morning,

    Some of the JSON APIs had to be disabled because of possible security leaks; this has been done in previous software updates.

    Regards
    Thomas

  10. #10
    New Member
    This doesn't make sense, since on other Philips TV models the JSON API is fully available. Still, why not solve the security leak instead of cutting off the "affected" part?

    Anyway, I don't mind using the TV with the security leak. Could you provide me some way to download the old firmware? It is very annoying not to be able to control the TV from my home automation.

    Thanks
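
Added example, not part of the thread and not Philips code: the behaviour reported above (port 1925 returning /etc/fstab and /etc/passwd) is what a handler produces when it joins the URL path onto a filesystem root with no containment check, and the sketch below puts that pattern beside a dispatcher that keeps /1/audio/volume working while confining file reads to a document root. The TV's real server implementation is unknown; the host `tv.example`, the route table, the function names and the directory layout are all constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit

# Route table: only /1/audio/volume is taken from the thread; the handler body is a stub value.
API_ROUTES = {
    "/1/audio/volume": lambda: {"muted": False, "current": 18, "min": 0, "max": 60},
}


def naive_resolve(serve_root, url):
    """Flawed pattern: URL path joined onto serve_root with no containment check."""
    return os.path.join(serve_root, unquote(urlsplit(url).path).lstrip("/"))


def handle(doc_root, url):
    """Hardened dispatch returning (status, body): API routes first, then confined static files."""
    path = unquote(urlsplit(url).path)
    if path in API_ROUTES:
        return 200, API_ROUTES[path]()
    root = os.path.realpath(doc_root)
    # realpath collapses ".." and follows symlinks before the containment test.
    target = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
        return 404, None
    with open(target, "rb") as fh:
        return 200, fh.read()


def demo():
    """Build a constructed document root plus an outside file and return the status per URL."""
    base = "http://tv.example:1925"  # constructed host
    with tempfile.TemporaryDirectory() as tmp:
        doc_root = os.path.join(tmp, "www")
        outside = os.path.join(tmp, "etc")
        os.makedirs(doc_root)
        os.makedirs(outside)
        with open(os.path.join(doc_root, "index.html"), "w") as fh:
            fh.write("<html>ok</html>")
        with open(os.path.join(outside, "passwd"), "w") as fh:
            fh.write("constructed sample, not a real passwd file\n")
        os.symlink(outside, os.path.join(doc_root, "leak"))  # symlink escaping the root
        urls = ["/1/audio/volume", "/index.html", "/etc/passwd",
                "/../etc/passwd", "/%2e%2e/etc/passwd", "/leak/passwd"]
        return {u: handle(doc_root, base + u)[0] for u in urls}


if __name__ == "__main__":
    print(naive_resolve("/", "http://tv.example:1925/etc/fstab"))
    print(demo())
```

The same six URLs make a usable regression check after a firmware update: the API route and the in-root file should answer 200, and every path that resolves outside the document root should answer 404.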
